Attacker could use default defibrillator password to launch denial of service

A medical device security and privacy roundtable discussion at Black Hat looked at how adding more security to devices could pose risks to patients' privacy. Medical device is a term that encompasses all manner of health-related devices, but who is responsible for deploying patches when a device is vulnerable?

Jay Radcliffe freaked out the medical community in 2011 when he revealed how insulin pumps could be hacked to deliver a fatal dose of insulin (pdf). Yet at a medical device security and privacy roundtable discussion at Black Hat, Radcliffe said “it would be far easier and more likely for an attacker to sneak up behind him and deliver a fatal blow to his head with a baseball bat,” than hack his insulin pump to kill him.

He did discuss hacking implantable medical devices. There are no known cases of hacking a pacemaker in anything other than fiction, but if an attacker remotely hacked a pacemaker, no one is going to dig into the death. It would be called a heart attack and that would be the end of it because “there's no process in place right now that checks these implanted medical devices for failure or malicious activity.” Rapid7 point out, “Security often just isn't on the radar at all for the manufacturers, the pharmaceutical regulators, or even the medical professionals that work with them.”

The term “medical device” could mean a broad range of things from pacemakers to “MRI machines and echo-cardiograms and computers in the hospital running Windows XP. Mobile apps and health-related consumer-focused applications could also be considered under this broad umbrella.”

John Pescatore, who previously worked at the NSA and at the U.S. Secret Service before joining SANS, released a whitepaper based on a survey about Internet of Things security. Medical machinery and personal implanted medical devices are considered to be part of the IoT. After all, people can use SHODAN to find fetal heart monitors if they are so inclined.

Pescatore wrote:

Internet-connected computing capabilities related to smart building and industrial control systems and medical devices were the most commonly cited concerns after consumer devices. While these type of devices don’t receive much hype with respect to the IoT in the press, the use of embedded computing in those devices (versus layered operating systems and applications in PCs and servers that IT is accustomed to managing and securing) will cause major breakage in existing IT management and IT security visibility, vulnerability assessment, configuration management and intrusion prevention processes and controls.

"There are many reasons why these findings are cause for alarm," wrote Barbara Filkins. One example was: "The sheer volume of IP addresses detected in this targeted sample can be extrapolated to assume that there are, in fact, millions of compromised health care organizations, applications, devices and systems sending malicious packets from around the globe."

Those aren’t the only threats. If a person was in cardiac arrest, a defibrillator could be used to save that person’s life. But what if someone who was not authorized to use or to tweak the defibrillator settings, did so? That may be unlikely, but not impossible. Default usernames and passwords for medical devices are problematic and are “often overlooked endpoints;” they “can be easily procured by an Internet search on ‘type of device’ plus ‘default password’.”

Yesterday, the National Vulnerability Database published two advisories regarding ZOLL Defibrillators. The accompanying documents from the manufacturer describe how to change default configurations on the devices.

CVE-2007-6756 states: “ZOLL Defibrillator / Monitor M Series, E Series, and R Series have a default password for System Configuration mode, which allows physically proximate attackers to modify device configuration and cause a denial of service (adverse human health effects).”

So who is responsible for deploying the fix? The FDA guidance suggests that both hospitals and manufacturers are responsible for vulnerability management. Yet Radcliffe said that makes the problem of deploying patches even more murky. He explained that "if there is a bug in an MRI machine, the hospital will have to pay to have the manufacturer come in and update all the affected machines. Of course, the hospital could install the updates themselves, but they run the risk of losing their warranty. The hospital could also decide they don’t have the budget available to pay to have the patches installed and merely wait.”

Those defibrillators are not the only machines that with default passwords that potentially pose a risk. “Most devices have no security applications on them at all. Anyone can just get in and manipulate whatever they want,” stated an unnamed hospital chief information security officer in a McKinsey Report. Forbes looked into how a network-attached printer using the defaults of “admin” and “12345” for a password could be a “near perfect and silent entry point” for hackers.

Lastly, Radcliffe addressed how more security on medical devices could cause patients to have less privacy. For example, if a person with an implantable medical device were to die, then “who can look at a log of his or her health before death? That's a serious privacy concern, but what if it helps doctors find issues with IMDs, or detect evidence of foul play such as hacking?”

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.